CVE-2026-45072
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-45072, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.4.24 until 6.4.40, 7.4.12, and 8.0.12, the development profiler file_excerpt Twig filter escapes PHP files through highlight_string() but interpolates lines from non-PHP files directly into <code> elements, allowing stored XSS against a developer who opens an attacker-written file such as var/log/dev.log in the profiler. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
symfony symfony From 6.4.24 (inc) to 6.4.40 (exc)
symfony symfony From 7.2.9 (inc) to 7.4.12 (exc)
symfony symfony From 8.0.0 (inc) to 8.0.12 (exc)
symfony twig-bridge *
symfony web-profiler-bundle *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45072 is a stored Cross-Site Scripting (XSS) vulnerability in the Symfony PHP framework. The issue occurs in the WebProfiler's `CodeExtension::fileExcerpt()` method, which is responsible for rendering source-code excerpts in the development profiler.

While PHP files are properly escaped using the `highlight_string()` function, non-PHP files are processed differently. The method splits non-PHP files by newlines and directly interpolates their content into HTML `<code>` elements without escaping. This allows an attacker to inject malicious scripts into files that a developer might view in the profiler, such as `var/log/dev.log`.

When a developer opens such a file in the profiler, the injected script executes, leading to a stored XSS attack. The vulnerability affects Symfony versions 6.4.24 to 6.4.39, 7.2.9 to 7.4.11, and 8.0.0 to 8.0.11, as well as related packages like `symfony/twig-bridge` and `symfony/web-profiler-bundle`.

The fix involves properly escaping non-PHP file content using `htmlspecialchars()` before rendering it in the profiler.

Impact Analysis

If you are a developer using an affected version of Symfony, this vulnerability could impact you in the following ways:

  • An attacker who can write arbitrary data to files within your project (e.g., log files like `var/log/dev.log`) could inject malicious JavaScript code into those files.
  • When you view the infected file in the Symfony WebProfiler, the malicious script will execute in your browser, potentially leading to unauthorized actions such as stealing session cookies, redirecting you to malicious sites, or performing actions on your behalf.
  • This could compromise your development environment, expose sensitive data, or allow further attacks against your system or application.

The impact is primarily on developers who use the WebProfiler to inspect files, rather than end-users of the application.

Compliance Impact

This vulnerability could have implications for compliance with common standards and regulations, depending on the context in which Symfony is used:

  • GDPR (General Data Protection Regulation): If the stored XSS attack leads to the exposure or theft of personal data (e.g., session cookies containing user information), it could result in a data breach. Under GDPR, organizations must implement appropriate security measures to protect personal data, and failure to do so could lead to fines or legal action.
  • HIPAA (Health Insurance Portability and Accountability Act): If the affected Symfony application handles protected health information (PHI) and the XSS attack results in unauthorized access to or disclosure of PHI, it could violate HIPAA's Security Rule. This could lead to penalties for non-compliance.
  • Other standards: The vulnerability could also impact compliance with frameworks like ISO 27001, which requires organizations to manage information security risks, or PCI DSS, if the application processes payment card data and the XSS attack leads to unauthorized access to such data.

However, the direct impact on compliance depends on whether the vulnerability is exploited and whether it results in a data breach or unauthorized access to regulated data. Since this is a low-severity vulnerability primarily affecting developers, the risk to compliance may be limited unless the application is used in a high-security environment.

Detection Guidance

To detect this vulnerability on your system, you can check for the presence of affected Symfony versions and inspect files that might contain malicious scripts.

  • Verify the installed Symfony version. The vulnerability affects versions 6.4.24 to 6.4.39, 7.2.9 to 7.4.11, and 8.0.0 to 8.0.11. You can check the version using Composer with the command: composer show symfony/symfony.
  • Inspect log files or other non-PHP files in the project root (e.g., var/log/dev.log) for suspicious content, such as script tags or unescaped HTML. For example, you can use grep to search for script tags: grep -r '<script>' var/log/.
  • Check the WebProfiler for any unusual file excerpts that might contain unescaped HTML or JavaScript. This requires manual inspection of the profiler interface.
Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade Symfony to the latest patched version. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Use Composer to update: composer update symfony/symfony --with-dependencies.
  • If upgrading is not immediately possible, apply the fix manually by modifying the `CodeExtension::fileExcerpt()` method in the TwigBridge component. Ensure that non-PHP file content is escaped using `htmlspecialchars()` with the `ENT_QUOTES` and `ENT_SUBSTITUTE` flags, as shown in the fix commit (Resource 2).
  • Restrict write access to log files and other non-PHP files in the project root to prevent attackers from injecting malicious scripts. Use file permissions to limit access: chmod 640 var/log/dev.log.
  • Monitor the WebProfiler for any unusual activity or files that might contain unescaped content. Avoid opening suspicious files in the profiler until the system is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45072. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart